Abstract

We discuss the question of the existence of quantum one-way permutations. First, we prove
the equivalence between inverting a permutation and constructing a polynomial size network
for reflecting about a given quantum state. Next, we consider the question: if a state is
difficult to prepare, is the operator reflecting about that state difficult to construct? By revisiting
Grover's algorithm, we present the relationship between this question and the existence of one-way
permutations. Moreover, we compare our method to Grover's algorithm and discuss possible
applications of our results.



1 Introduction 

Quantum computation is a rapidly growing field which explores the relationship between quantum
physics and computation [1]. We have two strong indications that quantum systems are potentially
more efficient than their classical counterparts at performing computational tasks. One is Shor's
algorithm which solves the factoring problem and the discrete logarithm problem in quantum
polynomial time. The other is Grover's algorithm [3], which works quadratically faster than any
classical algorithm for the search problem in the oracle setting. On the other hand, Bennett,
Bernstein, Brassard, and Vazirani [4] have shown that with probability 1 there exists a quantum one-way
permutation relative to a random permutation oracle.

The existence of one-way functions is one of the most important open problems in classical
computation. For example, it is well-known that one-way functions have applications in cryptography.
Loosely speaking, a one-way function is one that is easy to compute but hard to invert. To make this
notion precise, we define a function $f$ to be (quantum) one-way if $f$ is one-one, $f$ is honest, $f$ can
be computed in (quantum) polynomial time, and $f^{-1}$ is not computable in (quantum) polynomial
time. By $f$ being honest we mean that there exists a polynomial $p$ such that $|x| < p(|f(x)|)$, where
$|\cdot|$ denotes the length of binary strings. Note that in this paper we are discussing one-way functions
in the setting of worst-case complexity. It is thought that proving the existence of one-way
functions is a difficult problem, since it is equivalent to the separation between the complexity classes
P and UP.

We address the question of the existence of quantum one-way permutations, which are a restricted
type of one-way function. First, we consider a necessary and sufficient condition for efficiently
inverting a polynomial time computable permutation. In the classical case, Hemaspaandra and Rothe
presented a necessary and sufficient condition for the existence of one-way permutations. We show
that in the quantum setting, the problem of inverting a permutation in polynomial time is equivalent
to the problem of constructing polynomial size networks for the reflections about some quantum states
$|\psi\rangle$, i.e., $2|\psi\rangle\langle\psi| - I$. In the proof of this equivalence, we present a quantum algorithm for
inverting a permutation efficiently under the condition that the reflections about these quantum states are
efficiently implementable. Similar to Grover's algorithm, our algorithm also consists of the iteration
of the tagging and reflection operators. We show that the exponential speed-up over Grover's
algorithm is possible if and only if the efficient reflections about some quantum states, which we will
define in the paper, are possible.

Next, we consider the relationship between the complexity of preparing a state and the reflection
about that state. We define a unitary operator on $n$ qubits to be easy if there exists a polynomial
size network implementing the operator up to a global phase. An $n$-qubit state $|\varphi\rangle$ is defined to be
easy if there exists a polynomial size network which produces the state $|\varphi\rangle$ up to a global phase. It is
straightforward to see that if a state is easy, the reflection about that state is also easy. We consider
the other direction, which seems to hold at first glance. If the reflection about a state is easy, the state
itself is easy (we will refer to this statement as Assumption A). However, by exposing another view
of Grover's algorithm, we can find a counter-example such that Assumption A is false if a quantum
one-way permutation exists.

This paper is organized as follows. In Section 2, we prove the equivalence between inverting a 
permutation and constructing a quantum network implementing the reflections about some special 
quantum states. In Section 3, we revisit Grover's algorithm from the viewpoint of Assumption A, and 
show that Assumption A is false if a quantum one-way permutation exists. Moreover, we compare 
our algorithm with Grover's algorithm in the light of Assumption A. In Section 4, we discuss other 
related results and possible applications of our results. 

2 Main Result 

For any permutation $f$ on $n$-bit strings, let $U_f$ denote the unitary operator mapping the basis
state $|x\rangle|y\rangle$ to $|x\rangle|f(x)\oplus y\rangle$, where $|x\rangle$ and $|y\rangle$ each consist of $n$ qubits. We consider the following
problem called hereafter INVERT: for any given $x \in \{0,1\}^n$, find $f^{-1}(x)$. In the setting where $f$ is
given as an oracle, Grover's algorithm can solve INVERT with quadratic speed-up over any classical
algorithm. In his algorithm, Grover uses the tagging operator $O$ defined as

$$O|x\rangle|y\rangle = (-1)^{\delta_{x f(y)}}|x\rangle|y\rangle$$

and the reflection about the uniform superposition defined as

$$|\psi\rangle = \frac{1}{\sqrt{2^n}}\sum_{y\in\{0,1\}^n}|y\rangle,$$

i.e. $2|\psi\rangle\langle\psi| - I$, which is also called the inversion about the average amplitude. The operator $O$ can
be simulated by two applications of $U_f$ and $n$ controlled-not gates. Moreover, if $f$ is polynomial time
computable, then it is also possible to efficiently construct the unitary operator $O[k]$ defined by

$$O[k]|x\rangle|y\rangle = (-1)^{\delta_{x_k f_k(y)}\,\delta_{x_{k+1} f_{k+1}(y)}}|x\rangle|y\rangle,$$

where $x_i$ and $f_i(y)$ for $i = 1, \ldots, n$ represent the $i$-th bits of $x$ and $f(y)$. This operator $O[k]$ will
enable us to mark all the states $|y\rangle$ such that 2 qubits of $|f(y)\rangle$ are equal to the corresponding qubits
of $|x\rangle$. Geometrically, $O[k]$ can be considered to be the reflection about the hyper-plane spanned by
the vectors $\{|y\rangle \mid f(y)_{(k,k+1)} \neq x_{(k,k+1)}\}$. We show that if we can efficiently implement the $O[k]$'s and the
unitary operator

$$Q_j = \sum_{x\in\{0,1\}^n} |x\rangle\langle x| \otimes \left(2|\psi_{j,x}\rangle\langle\psi_{j,x}| - I\right),$$

where

$$|\psi_{j,x}\rangle = \frac{1}{\sqrt{2^{n-2j}}}\sum_{y:\, f(y)_{(1,2j)} = x_{(1,2j)}} |y\rangle,$$

then we can efficiently invert $f$ by a polynomial size network. Conversely, we can also show that if $f$ is
difficult to invert, then the $Q_j$'s are also difficult to construct.

Now we state and prove this result formally. We say that a set $F$ of unitary operators is easy if
every $U \in F$ is easy.

Theorem 1: A function $f : \{0,1\}^n \to \{0,1\}^n$ is a quantum one-way permutation if and only if the
set $F_n = \{Q_j\}_{j=0,1,\ldots,\frac{n}{2}-1}$ of unitary operators is not easy.

Proof: Without loss of generality, we can assume that $n$ is even.

($\Rightarrow$) Suppose that $F_n$ is easy. Then we show that $f^{-1}$ is computable by a polynomial size quantum
network. A quantum algorithm (Algorithm A below) computing $f^{-1}$ is as follows. Assume that $x$ is
given as the input in the first register of the quantum network to be constructed.



ALGORITHM A

Step 1 (Preparation).

Prepare the second register in the uniform superposition

$$\frac{1}{\sqrt{2^n}}\sum_{y\in\{0,1\}^n}|y\rangle.$$

Step 2 (Iteration).

For $j = 0$ to $\frac{n}{2} - 1$, implement the following Steps 2.j.1-2.j.2.

Step 2.j.1. Carry out $O[2j+1]$ on the first and the second registers.

Step 2.j.2. Carry out $Q_j$ on the first and the second registers.



Step 2.j.1 can be implemented through the following 3 steps: (1) Carry out $U_f : |y\rangle|z\rangle \mapsto |y\rangle|f(y)\oplus z\rangle$
on the second and third registers. (2) Compare the $(2j+1)$-th and the $(2j+2)$-th qubits of the first
register with the corresponding qubits of the third register, and apply a phase shift of $-1$ if they are
the same; otherwise do nothing. (3) Carry out $U_f$ on the second and third registers.

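Now we show that Algorithm A computes $f^{-1}$. After Step 1, the state of the system is

$$\frac{1}{\sqrt{2^n}}\,|x\rangle\sum_{y\in\{0,1\}^n}|y\rangle.$$

We show that after Step 2.j.2 the state of the system is

$$\frac{2^{j+1}}{\sqrt{2^n}}\,|x\rangle\sum_{y:\, f(y)_{(1,2j+2)} = x_{(1,2j+2)}}|y\rangle,$$

which means that Algorithm A computes $f^{-1}$ after $\frac{n}{2}$ iterations. In the case $j = 0$, the state evolves
as follows (note that for any $x$ we have $|\psi_{0,x}\rangle = |\psi_0\rangle$):

$$
\begin{aligned}
\frac{1}{\sqrt{2^n}}\,|x\rangle\sum_{y\in\{0,1\}^n}|y\rangle
&\xrightarrow{\;2.0.1\;}
\frac{1}{\sqrt{2^n}}\,|x\rangle\Big(\sum_{y:\, f(y)_{(1,2)} \neq x_{(1,2)}}|y\rangle - \sum_{y:\, f(y)_{(1,2)} = x_{(1,2)}}|y\rangle\Big) \\
&= \frac{1}{\sqrt{2^n}}\,|x\rangle\Big(\sqrt{2^n}\,|\psi_0\rangle - 2\sum_{y:\, f(y)_{(1,2)} = x_{(1,2)}}|y\rangle\Big) \\
&\xrightarrow{\;2.0.2\;}
\frac{1}{\sqrt{2^n}}\,|x\rangle\,(2|\psi_0\rangle\langle\psi_0| - I)\Big(\sqrt{2^n}\,|\psi_0\rangle - 2\sum_{y:\, f(y)_{(1,2)} = x_{(1,2)}}|y\rangle\Big) \\
&= \frac{1}{\sqrt{2^n}}\,|x\rangle\Big(2\sqrt{2^n}\,|\psi_0\rangle - \sqrt{2^n}\,|\psi_0\rangle - 4|\psi_0\rangle\sum_{y:\, f(y)_{(1,2)} = x_{(1,2)}}\langle\psi_0|y\rangle + 2\sum_{y:\, f(y)_{(1,2)} = x_{(1,2)}}|y\rangle\Big) \\
&= \frac{2}{\sqrt{2^n}}\,|x\rangle\sum_{y:\, f(y)_{(1,2)} = x_{(1,2)}}|y\rangle.
\end{aligned}
$$

On the other hand, suppose that the case $j = k-1$ holds. Then, following Steps 2.k.1-2.k.2, the state
evolves as follows:

$$
\begin{aligned}
\frac{2^k}{\sqrt{2^n}}\,|x\rangle\sum_{y:\, f(y)_{(1,2k)} = x_{(1,2k)}}|y\rangle
&\xrightarrow{\;2.k.1\;}
\frac{2^k}{\sqrt{2^n}}\,|x\rangle\Big(\sum_{y:\, f(y)_{(1,2k)} = x_{(1,2k)}}|y\rangle - 2\sum_{y:\, f(y)_{(1,2k+2)} = x_{(1,2k+2)}}|y\rangle\Big) \\
&= \frac{2^k}{\sqrt{2^n}}\,|x\rangle\Big(\sqrt{2^{n-2k}}\,|\psi_{k,x}\rangle - 2\sum_{y:\, f(y)_{(1,2k+2)} = x_{(1,2k+2)}}|y\rangle\Big) \\
&\xrightarrow{\;2.k.2\;}
\frac{2^k}{\sqrt{2^n}}\,|x\rangle\,(2|\psi_{k,x}\rangle\langle\psi_{k,x}| - I)\Big(\sqrt{2^{n-2k}}\,|\psi_{k,x}\rangle - 2\sum_{y:\, f(y)_{(1,2k+2)} = x_{(1,2k+2)}}|y\rangle\Big) \\
&= \frac{2^k}{\sqrt{2^n}}\,|x\rangle\Big(2\sqrt{2^{n-2k}}\,|\psi_{k,x}\rangle - \sqrt{2^{n-2k}}\,|\psi_{k,x}\rangle - 4|\psi_{k,x}\rangle\sum_{y:\, f(y)_{(1,2k+2)} = x_{(1,2k+2)}}\langle\psi_{k,x}|y\rangle + 2\sum_{y:\, f(y)_{(1,2k+2)} = x_{(1,2k+2)}}|y\rangle\Big) \\
&= \frac{2^{k+1}}{\sqrt{2^n}}\,|x\rangle\sum_{y:\, f(y)_{(1,2k+2)} = x_{(1,2k+2)}}|y\rangle.
\end{aligned}
$$

Thus, the case $j = k$ holds. From the assumption that $\{Q_j\}$ is easy, it is simple to see that Algorithm
A can be implemented by a polynomial size quantum network.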

($\Leftarrow$) Suppose that $f$ is not a one-way permutation. Then we show that $\{Q_j\}_{j=0,1,\ldots,\frac{n}{2}-1}$ can be
implemented by a polynomial size quantum network. According to the assumption, $f$ and $f^{-1}$ are
quantum polynomial time computable. The following operator

$$M_f : |x\rangle \mapsto |f(x)\rangle$$

can be implemented by a polynomial size quantum network. To see why, note that

$$M_f \otimes I = (U_{f^{-1}})^{-1} \otimes S \otimes U_f,$$

where the swap gate $S$ is defined by $S : |a\rangle\otimes|b\rangle \mapsto |b\rangle\otimes|a\rangle$.

We now show that the unitary operator $Q'_j = (I \otimes M_f)\,Q_j\,(I \otimes M_f)^{\dagger}$ can be implemented by a
polynomial size quantum network, which means that $Q_j$ can also be implemented by a polynomial
size quantum network. The operator $Q'_j$ can be rewritten as follows



[a;G{04}" \ \ y,y' 

a:e{oa}" \ y,y' J 



a;e{oa}" \ y,y' J 

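$$
\begin{aligned}
&\sum_{x\in\{0,1\}^n} |x\rangle\langle x| \otimes \left(2|x_{(1,2j)}\rangle\langle x_{(1,2j)}| \otimes |\psi_j\rangle\langle\psi_j| - I\right) \\
&= \sum_{x\in\{0,1\}^n} |x\rangle\langle x| \otimes \Big(|x_{(1,2j)}\rangle\langle x_{(1,2j)}| \otimes (2|\psi_j\rangle\langle\psi_j| - I) + \sum_{y:\, y \neq x_{(1,2j)}} |y\rangle\langle y| \otimes I\Big).
\end{aligned}
$$

Here, $\sum_{y,y'}$ denotes $\sum_{y,y':\, f(y)_{(1,2j)} = f(y')_{(1,2j)} = x_{(1,2j)}}$ and denotes

Thus, we can implement $Q'_j$ by comparing the first $2j$ qubits of the first register with the corresponding
qubits of the second register and applying $2|\psi_j\rangle\langle\psi_j| - I$ if they are the same and applying the identity
otherwise (i.e. conditional-$(2|\psi_j\rangle\langle\psi_j| - I)$). The operator $2|\psi_j\rangle\langle\psi_j| - I$ is easy, since
$2|\psi_j\rangle\langle\psi_j| - I = H^{\otimes(n-2j)}(2|0\rangle\langle 0| - I)H^{\otimes(n-2j)}$, where $H$ is the Hadamard gate and the superscript
$n - 2j$ indicates that the Hadamard gate is applied to the last $n - 2j$ qubits. Therefore, $Q'_j$ is easy and
this completes the proof. □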
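Algorithm A can be followed numerically on a small permutation; the classical state-vector simulation below is an added illustration, not code from the paper. It assumes bits are numbered from the most significant bit, uses a constructed 6-bit permutation `PERM`, and all function names are illustrative; `psi` finds the support of $|\psi_{j,x}\rangle$ by enumerating all $2^n$ inputs, standing in for the reflection $Q_j$ whose efficient implementation Theorem 1 ties to $f$ not being one-way.

```python
import math
import random

def bits_match(a, b, n, lo, hi):
    """True if bits lo..hi of the n-bit values a and b agree.
    Bits are numbered 1..n from the most significant bit (an assumption)."""
    if hi < lo:
        return True  # empty range, as for j = 0
    width, shift = hi - lo + 1, n - hi
    mask = (1 << width) - 1
    return ((a >> shift) & mask) == ((b >> shift) & mask)

def tag(state, f, x, n, k):
    """O[k]: negate the amplitude of |y> when bits k, k+1 of f(y) equal those of x."""
    return [-a if bits_match(f[y], x, n, k, k + 1) else a
            for y, a in enumerate(state)]

def psi(f, x, n, j):
    """|psi_{j,x}>: uniform superposition over y with f(y)_(1,2j) = x_(1,2j).
    The support is found by brute force over all 2^n values of y."""
    support = [y for y in range(2 ** n) if bits_match(f[y], x, n, 1, 2 * j)]
    vec = [0.0] * (2 ** n)
    for y in support:
        vec[y] = 1 / math.sqrt(len(support))
    return vec

def reflect(state, about):
    """Apply 2|psi><psi| - I to a real state vector."""
    overlap = sum(p * a for p, a in zip(about, state))
    return [2 * overlap * p - a for p, a in zip(about, state)]

def algorithm_a(f, x, n):
    """Second-register amplitudes after each of the n/2 iterations of Step 2."""
    if n % 2:
        raise ValueError("n must be even")
    state = psi(f, x, n, 0)                      # Step 1: uniform superposition
    history = []
    for j in range(n // 2):
        state = tag(state, f, x, n, 2 * j + 1)   # Step 2.j.1: O[2j+1]
        state = reflect(state, psi(f, x, n, j))  # Step 2.j.2: Q_j, first register = x
        history.append(state)
    return history

def invert(f, x, n):
    """Return (y, probability of measuring y) for the most likely outcome."""
    final = algorithm_a(f, x, n)[-1]
    y = max(range(2 ** n), key=lambda i: abs(final[i]))
    return y, final[y] ** 2

def support_sizes(f, x, n):
    """Number of basis states with non-zero amplitude after each iteration."""
    return [sum(abs(a) > 1e-9 for a in s) for s in algorithm_a(f, x, n)]

N = 6
PERM = list(range(2 ** N))           # constructed sample permutation on 6-bit strings
random.Random(1).shuffle(PERM)

if __name__ == "__main__":
    y, p = invert(PERM, 37, N)
    print(y, PERM[y] == 37, round(p, 6), support_sizes(PERM, 37, N))
```

Each iteration fixes two more bits of $f(y)$, so the support shrinks by a factor of four per round and the preimage is reached with probability 1 after $n/2$ rounds.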

Note that all unitary operators $U_k$ are easy if and only if the operation

fc 

which implements $U_k$ conditionally, is easy. The operator $Q_j$ implements the reflection about the
state $|\psi_{j,x}\rangle$ conditionally, therefore Theorem 1 gives a necessary and sufficient condition for quantum
one-way permutations in terms of the reflection about a quantum state.



3 General View 

It is well-known that if a state is easy, then the reflection about the state is easy. Does the
inverse hold? We call its inverse, i.e., the statement "if the reflection about a state is easy, the state
itself is easy", Assumption A. In this section, we revisit both Grover's and our algorithm from the
viewpoint of complexity of a state and the reflection about the state, and discuss the relationship
between the existence of one-way permutations and Assumption A.

First, let us revisit Grover's search problem and algorithm. In [3], Grover considered the following
problem called hereafter SEARCH. Let $f : \{0,1\}^n \to \{0,1\}$ be a function such that $|f^{-1}(\{1\})| = 1$.
Then, the goal is to find $f^{-1}(1)$. Grover's algorithm for this problem (Algorithm B below) consists of
the following steps.

ALGORITHM B

Step 1 (Preparation).

Prepare the uniform superposition

$$\frac{1}{\sqrt{2^n}}\sum_{x\in\{0,1\}^n}|x\rangle.$$

Step 2 (Iteration).

Iterate Step 2.1 and Step 2.2.

Step 2.1. Carry out the tagging operation given by

$$\sum_{x\in\{0,1\}^n}(-1)^{f(x)}|x\rangle\langle x| = I - 2|f^{-1}(1)\rangle\langle f^{-1}(1)|.$$

Step 2.2. Carry out the reflection about the state (i.e. the inversion about the average
amplitude).

Here, Step 1 and Step 2.2 are easy, and Step 2.1 can be implemented by querying the oracle

$$U_f : |x\rangle|b\rangle \mapsto |x\rangle|f(x)\oplus b\rangle$$

twice, since for the reflection about the target state $|f^{-1}(1)\rangle$, we have

$$\{(2|f^{-1}(1)\rangle\langle f^{-1}(1)| - I)\otimes I\}\,|x\rangle|0\rangle = \{U_f\,(I\otimes(2|1\rangle\langle 1| - I))\,U_f\}\,|x\rangle|0\rangle.$$

By $O(\sqrt{2^n})$ iterations of Step 2, i.e., by $O(\sqrt{2^n})$ queries, we can get $f^{-1}(1)$ with high probability.
Thus, when $f$ is given as an oracle, this algorithm works quadratically faster than any possible classical
algorithm. However, this algorithm is shown to be optimal [10], [11], so that we cannot solve this
problem by using at most polynomially many queries in $n$. This implies that even if the reflection about the
state $|f^{-1}(1)\rangle$ is assumed to be easy, the state $|f^{-1}(1)\rangle$ itself is not easy.

Next, we shall relate Assumption A to the existence of quantum one-way permutations by revisiting 
Grover's algorithm for INVERT considered in the previous section. Grover's algorithm for INVERT 
(Algorithm C below) is as follows. 

ALGORITHM C

Step 1 (Preparation).

Prepare the uniform superposition

$$\frac{1}{\sqrt{2^n}}\sum_{y\in\{0,1\}^n}|y\rangle.$$

Step 2 (Iteration).

Iterate Step 2.1 and Step 2.2.

Step 2.1. Carry out the tagging operator

$$O = I - 2|f^{-1}(x)\rangle\langle f^{-1}(x)|.$$

Step 2.2. Carry out the reflection about the state $|\psi_0\rangle$.

Similar to Algorithm A, Step 1 and Step 2.2 are easy. The operator $O$ in Step 2.1 is a tagging
operator and can be implemented by using the operator

$$U_f : |y\rangle|z\rangle \mapsto |y\rangle|f(y)\oplus z\rangle.$$

In fact, for any $y \in \{0,1\}^n$ we have

$$\{(I - 2|f^{-1}(x)\rangle\langle f^{-1}(x)|)\otimes I\}\,|y\rangle|0\rangle = U_f\,(I\otimes(I - 2|x\rangle\langle x|))\,U_f\,|y\rangle|0\rangle.$$

Thus, given $U_f$ as an oracle, we can compute $f^{-1}(x)$ with high probability by $O(\sqrt{2^n})$ queries. This
algorithm is also shown to be optimal [12]. Note that the operator $2|f^{-1}(x)\rangle\langle f^{-1}(x)| - I$ is performing
the reflection about the state $|f^{-1}(x)\rangle$. Thus, Algorithm C shows that even if the reflection about the
state $|f^{-1}(x)\rangle$ is assumed to be easy, the state itself is not necessarily easy.

Now, let us consider the case when $f$ is a quantum one-way permutation. Then, the operator
$U_f$ is easy, so that $2|f^{-1}(x)\rangle\langle f^{-1}(x)| - I$ is also easy. Therefore, from Algorithm C, we can infer
the following interesting fact: If there exists a quantum one-way permutation, there exists a
counter-example to Assumption A.

Compared to Algorithm C, Algorithm A for inverting $f$ is exponentially faster, provided that the
$Q_j$'s are easy. The operator $Q_j$ is a unitary operator which reflects any given state about the state
$|\psi_{j,x}\rangle$, where $x$ is the value of the first register. Does the state $|\psi_{j,x}\rangle$ also provide a counter-example
to Assumption A? The answer is no, since it is shown in the proof of Theorem 1 that if $F_n$ is easy, we
can generate the state $|\psi_{j,x}\rangle$ by a polynomial size network. Therefore we have the following corollary
from Theorem 1.

Corollary 2: The following conditions are equivalent.

• $f$ is not a quantum one-way permutation.

• All states $|\psi_{j,x}\rangle$, where $j \in \{0, \ldots, \frac{n}{2} - 1\}$ and $x \in \{0,1\}^n$, are easy.

• The reflections about all states are easy.

So far we have considered only the exact setting. However, using the diamond metric and its
properties [13], similar results also hold in the bounded error setting. In the latter setting we
define the notions of easy operator, easy state, and quantum one-way function as follows. A
trace-preserving completely positive superoperator (CPSO) $U$ is defined to be approximately easy if there
exists a family of polynomial size quantum networks $\{N_\epsilon\}$ such that

$$\|U - U_\epsilon\|_\diamond < \epsilon,$$

where $U_\epsilon$ is the operator implemented by $N_\epsilon$ exactly. A mixed state $\rho$ is defined to be approximately
easy if there exists an approximately easy CPSO $U$ such that

$$U(|0\rangle\langle 0|) = \rho.$$

Now we can give the definition of quantum one-way function in the bounded-error setting. A function $f$
is quantum one-way if $f$ is one-one, $f$ is honest, $f$ is approximately easy, and $f^{-1}$ is not approximately
easy, where $f$ is quantum approximately easy if the unitary operator $U_f : |x\rangle|z\rangle \mapsto |x\rangle|z \oplus f(x)\rangle$ is
approximately easy. It is straightforward to check that if there exists a quantum one-way permutation,
then there exists a counter-example for Assumption A in the bounded error setting.
4 Discussions



We have reduced the problem of the existence of a quantum one-way permutation to the problem
of constructing a polynomial size network for performing the specific task of the reflection about a
given state. Ambainis [12] proved that inverting a permutation on the $n$-bit strings in the standard
query model requires $\Omega(\sqrt{2^n})$ queries. In the standard query model a quantum computation with
$T$ queries is a sequence of unitary operators

$$U_0 \to O \to U_1 \to O \to \cdots \to U_{T-1} \to O \to U_T,$$

where the $U_j$'s are arbitrary unitary operators independent of the input qubits, and $O$ is the standard
query operator. However, our algorithm is consistent with Ambainis' result, since we consider the
case that the $U_j$'s depend on the input qubits and this does not fit his model.

Another related issue is the work of Chen and Diao where they attempted to present an
efficient quantum algorithm for the problem SEARCH, which is similar to our algorithm for the
problem INVERT. They mentioned that the tagging operation and the reflection about a given state
which varies dynamically can be constructed by polynomial size networks, but they did not show the
construction for their operations. (This construction is, of course, impossible given Grover's black
box, since it would violate the optimality proof of Grover's algorithm [10], [11].) For our problem
INVERT we have given the polynomial size network of the tagging operation and we have shown
that the difficulty of the construction of the reflection operation is equivalent to the existence of the
quantum one-way permutation. Furthermore it is an interesting open problem whether there exists
a reduction from other types of one-way functions to constructing a polynomial size network for
performing the reflection about a given state.

On the other hand, we have seen that Grover's algorithm gives us an example of states that are
difficult to prepare but the reflections about these states are easy, i.e., it provides a counter-example to
Assumption A assuming the existence of one-way permutations. This investigation of Assumption A
seems to be useful for cryptographic applications since recently, quantum bit commitment protocols
based on quantum one-way permutations have been proposed [16], [17]. Moreover, it is interesting
to find such a concrete counter-example without the existence of quantum one-way permutations.
Presenting such examples of states may provide us with more ideas for constructing novel quantum
algorithms.

Acknowledgements This work was supported by EPSRC, the European grant EQUIP and the
QUIPROCONE grant.



References 

[1] M.A. Nielsen and I.L. Chuang (2000), Quantum Computation and Quantum Information,
Cambridge University Press.

[2] P.W. Shor (1994), Algorithms for quantum computation: Discrete logarithms and factoring, in
Proceedings of 35th IEEE Symposium on Foundations of Computer Science, pp. 124-134.

[3] L.K. Grover (1996), A fast quantum mechanical algorithm for database search, in Proceedings of
28th ACM Symposium on the Theory of Computing, pp. 212-219.

[4] C.H. Bennett, E. Bernstein, G. Brassard, and U. Vazirani (1997), Strengths and weaknesses of
quantum computing, SIAM J. Comput., 26, pp. 1510-1523.

[5] C.H. Papadimitriou (1994), Computational Complexity, Addison-Wesley.

[6] J. Grollmann and A.L. Selman (1988), Complexity measures for public-key cryptosystems, SIAM
J. Comput., 17, pp. 309-335.

[7] L. Hemaspaandra and J. Rothe (2000), Characterizing the existence of one-way permutation,
Theoret. Comput. Sci., 244, pp. 257-261.

[8] C.H. Bennett (1973), Logical reversibility of computations, IBM J. Res. Develop., 17, pp. 525-532.

[9] E. Kashefi, A. Kent, V. Vedral, and K. Banaszek (2001), On the power of quantum oracles,
quant-ph/0109104.

[10] M. Boyer, G. Brassard, P. Høyer, and A. Tapp (1998), Tight bounds on quantum searching,
Fortsch. Phys., 46, pp. 493-505.

[11] C. Zalka (1999), Grover's quantum searching algorithm is optimal, Phys. Rev. A, 60, pp. 2746-2751.

[12] A. Ambainis (2000), Quantum lower bounds by quantum arguments, in Proceedings of 32th ACM
Symposium on the Theory of Computing, pp. 636-643.

[13] D. Aharonov, A. Kitaev and N. Nisan (1998), Quantum circuits with mixed states, in Proceedings
of 30th ACM Symposium on the Theory of Computing, pp. 20-30.

[14] R. Beals, H. Buhrman, R. Cleve, M. Mosca and R. de Wolf (1998), Quantum lower bounds by
polynomials, in Proceedings of 39th IEEE Symposium on Foundations of Computer Science, pp.
352-361.

[15] G. Chen and Z. Diao (2000), An exponentially fast quantum search algorithm, quant-ph/0011109.

[16] P. Dumais, D. Mayers and L. Salvail (2000), Perfectly concealing quantum bit commitment from
any one-way permutation, Advances in Cryptology - EUROCRYPT 2000, B. Preneel (Ed.),
Lecture Notes in Computer Science 1807, Springer-Verlag, pp. 300-315.

[17] M. Adcock and R. Cleve (2001), A quantum Goldreich-Levin theorem with cryptographic
applications, quant-ph/0108095.



